Spectra - 0xLogos's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $36,500 USDC

Total HM: 2

Participants: 39

Period: 7 days

Judge: Dravee

Id: 338

League: ETH

Spectra

Findings Distribution

Researcher Performance

Rank: 25/39

Findings: 1

Award: $80.57

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Spectra

Findings Information

🌟 Selected for report: jnforja

Also found by: 0xDemon, 0xLogos, 0xhacksmithh, 14si2o_Flint, Aymen0909, Brenzee, Franklin, Giorgio, JohnSmith, Limbooo, Shubham, ZanyBonzy, btk, dimulski, erosjohn, lsaudit, memforvik, mrudenko, nmirchev8, sl1, smaul, wangxx2026

Awards

80.5733 USDC - $80.57

Labels

bug

2 (Med Risk)

partial-75

sufficient quality report

:robot:_33_group

duplicate-210

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L806-L808 https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L829-L831 https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L460

Vulnerability details

Impact

PrincipalToken not compliant with EIP-5095. This can render unusable external integrations.

Proof of Concept

withdraw MUST support a withdraw flow where the principal tokens are burned from holder directly where holder is msg.sender or msg.sender has EIP-20 approval over the principal tokens of holder. But contract allows only owner to withdraw
Same for redeem (code)
maxRedeem MUST not revert, but it reverts in case of protocol pause

Tools Used

Manual review

Recommended Mitigation Steps

Remove owner check in _beforeRedeem/Withdraw and add following lines (adapted from openzeppelin ERC4626):

if (msg.sender != owner) {
    _spendAllowance(owner, caller, shares);
}

Remove whenNotPaused modifier from maxWithdraw

Assessed type

Other

#0 - c4-pre-sort
2024-03-03T09:20:02Z

gzeon-c4 marked the issue as duplicate of #33

#1 - c4-pre-sort
2024-03-03T09:20:05Z

gzeon-c4 marked the issue as sufficient quality report

#2 - c4-judge
2024-03-11T00:33:34Z

JustDravee marked the issue as satisfactory

#3 - c4-judge
2024-03-11T00:33:38Z

JustDravee marked the issue as partial-75

Spectra - 0xLogos's results

A permissionless interest rate derivatives protocol on Ethereum.

General Information

Findings Distribution

Researcher Performance

External Links

[M-01] PrincipalToken not compliant with EIP-5095 - $80.57

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-03-03T09:20:02Z

#1 - c4-pre-sort2024-03-03T09:20:05Z

#2 - c4-judge2024-03-11T00:33:34Z

#3 - c4-judge2024-03-11T00:33:38Z

#0 - c4-pre-sort
2024-03-03T09:20:02Z

#1 - c4-pre-sort
2024-03-03T09:20:05Z

#2 - c4-judge
2024-03-11T00:33:34Z

#3 - c4-judge
2024-03-11T00:33:38Z